kernel26-magellan/patches-2.6.16-r10/0103-2.6.16.12-vm86-call-audit_syscall_exit.patch

From: Jason Baron <jbaron@redhat.com>
Date: Tue, 31 Jan 2006 21:56:28 +0000 (-0500)
Subject: [PATCH] make vm86 call audit_syscall_exit
X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commitdiff;h=f38f300d4a0698791bb11294903702ddb1c4e9d8

[PATCH] make vm86 call audit_syscall_exit

hi,

The motivation behind the patch below was to address messages in
/var/log/messages such as:

Jan 31 10:54:15 mets kernel: audit(:0): major=252 name_count=0: freeing
multiple contexts (1)
Jan 31 10:54:15 mets kernel: audit(:0): major=113 name_count=0: freeing
multiple contexts (2)

I can reproduce by running 'get-edid' from:
http://john.fremlin.de/programs/linux/read-edid/.

These messages come about in the log b/c the vm86 calls do not exit via
the normal system call exit paths and thus do not call
'audit_syscall_exit'. The next system call will then free the context for
itself and for the vm86 context, thus generating the above messages. This
patch addresses the issue by simply adding a call to 'audit_syscall_exit'
from the vm86 code.

Besides fixing the above error messages the patch also now allows vm86
system calls to become auditable. This is useful since strace does not
appear to properly record the return values from sys_vm86.

I think this patch is also a step in the right direction in terms of
cleaning up some core auditing code. If we can correct any other paths
that do not properly call the audit exit and entries points, then we can
also eliminate the notion of context chaining.

I've tested this patch by verifying that the log messages no longer
appear, and that the audit records for sys_vm86 appear to be correct.
Also, 'read_edid' produces itentical output.

thanks,

-Jason

Signed-off-by: Jason Baron <jbaron@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

--- a/arch/i386/kernel/vm86.c
+++ b/arch/i386/kernel/vm86.c
@@ -43,6 +43,7 @@
 #include <linux/smp_lock.h>
 #include <linux/highmem.h>
 #include <linux/ptrace.h>
+#include <linux/audit.h>
 
 #include <asm/uaccess.h>
 #include <asm/io.h>
@@ -252,6 +253,7 @@ out:
 static void do_sys_vm86(struct kernel_vm86_struct *info, struct task_struct *tsk)
 {
 	struct tss_struct *tss;
+	long eax;
 /*
  * make sure the vm86() system call doesn't try to do anything silly
  */
@@ -305,13 +307,19 @@ static void do_sys_vm86(struct kernel_vm
 	tsk->thread.screen_bitmap = info->screen_bitmap;
 	if (info->flags & VM86_SCREEN_BITMAP)
 		mark_screen_rdonly(tsk->mm);
+	__asm__ __volatile__("xorl %eax,%eax; movl %eax,%fs; movl %eax,%gs\n\t");
+	__asm__ __volatile__("movl %%eax, %0\n" :"=r"(eax));
+
+	/*call audit_syscall_exit since we do not exit via the normal paths */
+	if (unlikely(current->audit_context))
+		audit_syscall_exit(current, AUDITSC_RESULT(eax), eax);
+
 	__asm__ __volatile__(
-		"xorl %%eax,%%eax; movl %%eax,%%fs; movl %%eax,%%gs\n\t"
 		"movl %0,%%esp\n\t"
 		"movl %1,%%ebp\n\t"
 		"jmp resume_userspace"
 		: /* no outputs */
-		:"r" (&info->regs), "r" (task_thread_info(tsk)) : "ax");
+		:"r" (&info->regs), "r" (task_thread_info(tsk)));
 	/* we never return here */
 }
 
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -966,11 +966,6 @@ void audit_syscall_entry(struct task_str
 	if (context->in_syscall) {
 		struct audit_context *newctx;
 
-#if defined(__NR_vm86) && defined(__NR_vm86old)
-		/* vm86 mode should only be entered once */
-		if (major == __NR_vm86 || major == __NR_vm86old)
-			return;
-#endif
 #if AUDIT_DEBUG
 		printk(KERN_ERR
 		       "audit(:%d) pid=%d in syscall=%d;"
1	niro	70	From: Jason Baron <jbaron@redhat.com>
2			Date: Tue, 31 Jan 2006 21:56:28 +0000 (-0500)
3			Subject: [PATCH] make vm86 call audit_syscall_exit
4			X-Git-Url: http://www.kernel.org/git/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commitdiff;h=f38f300d4a0698791bb11294903702ddb1c4e9d8
5
6			[PATCH] make vm86 call audit_syscall_exit
7
8			hi,
9
10			The motivation behind the patch below was to address messages in
11			/var/log/messages such as:
12
13			Jan 31 10:54:15 mets kernel: audit(:0): major=252 name_count=0: freeing
14			multiple contexts (1)
15			Jan 31 10:54:15 mets kernel: audit(:0): major=113 name_count=0: freeing
16			multiple contexts (2)
17
18			I can reproduce by running 'get-edid' from:
19			http://john.fremlin.de/programs/linux/read-edid/.
20
21			These messages come about in the log b/c the vm86 calls do not exit via
22			the normal system call exit paths and thus do not call
23			'audit_syscall_exit'. The next system call will then free the context for
24			itself and for the vm86 context, thus generating the above messages. This
25			patch addresses the issue by simply adding a call to 'audit_syscall_exit'
26			from the vm86 code.
27
28			Besides fixing the above error messages the patch also now allows vm86
29			system calls to become auditable. This is useful since strace does not
30			appear to properly record the return values from sys_vm86.
31
32			I think this patch is also a step in the right direction in terms of
33			cleaning up some core auditing code. If we can correct any other paths
34			that do not properly call the audit exit and entries points, then we can
35			also eliminate the notion of context chaining.
36
37			I've tested this patch by verifying that the log messages no longer
38			appear, and that the audit records for sys_vm86 appear to be correct.
39			Also, 'read_edid' produces itentical output.
40
41			thanks,
42
43			-Jason
44
45			Signed-off-by: Jason Baron <jbaron@redhat.com>
46			Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
47			Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
48			---
49
50			--- a/arch/i386/kernel/vm86.c
51			+++ b/arch/i386/kernel/vm86.c
52			@@ -43,6 +43,7 @@
53			#include <linux/smp_lock.h>
54			#include <linux/highmem.h>
55			#include <linux/ptrace.h>
56			+#include <linux/audit.h>
57
58			#include <asm/uaccess.h>
59			#include <asm/io.h>
60			@@ -252,6 +253,7 @@ out:
61			static void do_sys_vm86(struct kernel_vm86_struct info, struct task_struct tsk)
62			{
63			struct tss_struct *tss;
64			+ long eax;
65			/*
66			* make sure the vm86() system call doesn't try to do anything silly
67			*/
68			@@ -305,13 +307,19 @@ static void do_sys_vm86(struct kernel_vm
69			tsk->thread.screen_bitmap = info->screen_bitmap;
70			if (info->flags & VM86_SCREEN_BITMAP)
71			mark_screen_rdonly(tsk->mm);
72			+ __asm__ __volatile__("xorl %eax,%eax; movl %eax,%fs; movl %eax,%gs\n\t");
73			+ __asm__ __volatile__("movl %%eax, %0\n" :"=r"(eax));
74			+
75			+ /call audit_syscall_exit since we do not exit via the normal paths /
76			+ if (unlikely(current->audit_context))
77			+ audit_syscall_exit(current, AUDITSC_RESULT(eax), eax);
78			+
79			__asm__ __volatile__(
80			- "xorl %%eax,%%eax; movl %%eax,%%fs; movl %%eax,%%gs\n\t"
81			"movl %0,%%esp\n\t"
82			"movl %1,%%ebp\n\t"
83			"jmp resume_userspace"
84			: /* no outputs */
85			- :"r" (&info->regs), "r" (task_thread_info(tsk)) : "ax");
86			+ :"r" (&info->regs), "r" (task_thread_info(tsk)));
87			/* we never return here */
88			}
89
90			--- a/kernel/auditsc.c
91			+++ b/kernel/auditsc.c
92			@@ -966,11 +966,6 @@ void audit_syscall_entry(struct task_str
93			if (context->in_syscall) {
94			struct audit_context *newctx;
95
96			-#if defined(__NR_vm86) && defined(__NR_vm86old)
97			- /* vm86 mode should only be entered once */
98			- if (major == __NR_vm86 \|\| major == __NR_vm86old)
99			- return;
100			-#endif
101			#if AUDIT_DEBUG
102			printk(KERN_ERR
103			"audit(:%d) pid=%d in syscall=%d;"